{
	"id": "b51a3428-ae6e-4cf4-ac20-50d64dac514c",
	"created_at": "2026-04-06T00:06:09.065364Z",
	"updated_at": "2026-04-10T03:36:33.986619Z",
	"deleted_at": null,
	"sha1_hash": "266e6d494782a838c28c31ffd32cecd764ffa49f",
	"title": "Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025340,
	"plain_text": "Risky Biz News: Cyber Partisans hack and disrupt Kremlin censor\r\nBy Catalin Cimpanu\r\nPublished: 2023-03-08 · Archived: 2026-04-05 14:57:34 UTC\r\nThis newsletter is brought to you by Airlock Digital, Proofpoint, runZero, and Thinkst Canary. You can subscribe to an\r\naudio version of this newsletter as a podcast by searching for \"Risky Business News\" in your podcatcher or subscribing\r\nvia this RSS feed.\r\nBelarusian hacktivist group Cyber Partisans has hacked the Russian General Radio Frequency Center (GRFC), a smaller\r\nsub-agency that's part of the Roskomnadzor, the Russian government's telecommunications watchdog.\r\nIn Telegram and Twitter posts, the Cyber Partisans said they gained access to the agency's internal network, from where they\r\nstole more than 2TB of emails and documents before trashing its domain controller and encrypting local workstations.\r\n\"The work of the chief Kremlin censor has been disrupted,\" the group boasted.\r\n\"We also have a huge amount of material proving large-scale surveillance on the network and attempts to establish total\r\ncontrol over everyone who has spoken out against the Putin regime over the past 20 years,\" they added, promising to\r\nshare the stolen data with journalists.\r\nThe GRFC confirmed the breach to Kommersant and blamed the hack on the use of a \"previously unused vulnerability,\" but\r\nthe agency vehemently denied that any employee workstations were encrypted.\r\nThe incident marks the second time the Roskomnadzor has dealt with a major security breach this year after the Anonymous\r\nhacker collective also breached and then leaked more than 800TB of data from the agency's servers earlier this year in\r\nMarch. 
The leaked documents showed the agency actively intervening and censoring the narrative around Russia's role in\r\nUkraine, such as prohibiting the use of the word invasion to describe Russia’s so-called \"special military operation.\"\r\nVanuatu ransomware attack: The government of the small island nation of Vanuatu was hit by a ransomware\r\nattack that crippled most of the government's IT networks and forced staff back to pen and paper. According to a report from\r\nthe Sydney Morning Herald, a team from the Australian Cyber Security Centre is currently helping Vanuatu officials recover\r\ntheir network from the attack.\r\nAirAsia ransomware attack: Malaysian airline AirAsia was the victim of a ransomware attack earlier this month.\r\nAccording to a report in DataBreaches.net, the company was hit by the Daixin Team ransomware group, which claims to\r\nhave stolen data on more than five million of the airline's passengers, data they are now threatening to leak online.\r\nWickr shuts down free IM service: Secure instant messaging service Wickr announced that it would shut down its free\r\nservice to focus on its commercial offering. The company said it would not accept new user registrations after December 31,\r\n2022, and will discontinue the Wickr Me service on December 31, 2023. Amazon acquired Wickr in June 2021 and was\r\nplanning to use it as an E2EE service for its commercial enterprise offerings—now known as AWS Wickr.\r\nTwitter does its thing: A network of Twitter bot accounts has been blamed for stoking riots and physical clashes between\r\nIndian and Pakistani supporters at the end of August in the UK city of Leicester. More than 500 accounts were spotted\r\nurging both groups to violence, with some accounts tweeting as much as 500 times per minute. 
[Additional coverage\r\nin Bloomberg/non-paywalled]\r\nhttps://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack\r\nPage 1 of 6\n\n\"After the first instances of fake videos spread on Twitter, a 'highly orchestrated echo chamber,' from India kicked\r\nin to amplify tweets 'solely blaming Muslims for the events in Leicester,' the report claimed, which in turn\r\nspurred even more violence against Hindus in Leicester.\"\r\nPasskeys support directory: After it added support for passkeys in its password manager, 1Password has also created\r\na web directory listing all online services currently supporting passkey authentication.\r\nQuantum encryption deadline: The Office of Management and Budget has ordered federal agencies to scan their systems\r\nand provide an inventory of assets containing cryptographic systems that could be cracked by quantum computers in the\r\ncoming years. Agencies have a deadline until May 4, 2023, according to an OMB memo [PDF]. The memo comes after the\r\nWhite House directed US government agencies to mitigate risks from quantum computers earlier this year and after the NSA\r\nordered that all government agencies that handle classified information must use quantum-resistant encryption algorithms by\r\n2035. [Additional coverage in FedScoop]\r\nAGs ask FTC for online privacy regulation: A coalition of 33 state attorneys general have urged the US Federal Trade\r\nCommission to pass regulation around online data collection practices. AGs said they are \"concerned about the alarming\r\namount of sensitive consumer data that is amassed, manipulated, and monetized,\" and that they regularly receive inquiries\r\nfrom consumers about how their data is being hoarded and abused. [Read the full letter here/PDF]\r\nIndian privacy regulation: The Indian government has published the long-awaited first public draft of its upcoming data\r\nprivacy law—known as the Digital Personal Data Protection Bill. 
According to the law's text, companies that operate in\r\nIndia and handle the personal data of Indian citizens must use clear and plain language to describe what data they collect and\r\nfor what purpose. The new law includes many clauses similar to the EU GDPR, such as requiring companies to notify users\r\nabout security breaches, and allowing users to delete their data from online services. Companies that fail to comply with this\r\nupcoming regulation risk some of the largest fines in the world for a privacy breach, fines of up to 500 crore rupees—up to\r\n$61 million.\r\nIran info-op in Latin America: Threat intelligence company Recorded Future has published a report detailing a years-long\r\ninfluence operation carried out by the Iranian and Venezuelan governments that targeted audiences in Latin America. The\r\ncampaign revolves around the Colombian businessman Alex Saab, detained and extradited by the US from Cape Verde in\r\n2020 for helping the Venezuelan government establish business ties with Iran and avoid US sanctions. Recorded Future\r\nclaims that since Saab's arrest, news outlets associated with the Iranian and Venezuelan governments, together with social\r\nmedia \"influencer\" accounts, have promoted the idea across Latin America that Saab, who was appointed as a special envoy\r\nfor the Venezuelan government, was kidnapped by the US in contradiction to diplomatic immunity and international norms.\r\nRussian bill to seize cybercrime profits: Two Russian government officials have submitted a bill to the Russian State\r\nDuma with an amendment to the Russian criminal code that would allow the Russian government to easily seize funds\r\nobtained through cybercrime offenses, Kommersant reported. 
According to the bill's text, the government plans to use the\r\nseized funds to compensate victims.\r\nRunZero is one of this newsletter's four main supporters and this week's featured sponsor. The company's main product is its\r\nnetwork discovery and asset inventory platform, which can be used to find any managed and unmanaged assets inside a\r\ncustomer's network. To learn more, please check out this runZero product demo below:\r\nHackers detained in South Korea: South Korean police have arrested ten suspects who allegedly orchestrated a very\r\ntargeted phishing campaign against the owners of popular Naver blogs. Police said the gang targeted only 500 of the most\r\npopular Naver blogs, managed to hack into 18, and made 200 million won ($149,000) from reselling the accounts to third\r\nparties. Officials said they are still hunting for other suspects who they believe helped the hackers.\r\nNew threat actor: A threat actor going by the name of IntelBroker is claiming to have breached several US government\r\nagencies and is now running ads on underground hacking forums claiming to sell more than 2 GB of files stolen from the\r\nagencies' networks. While the group has made bold claims, several security researchers have indicated that the ad might be a\r\nscam, as the actor has not provided any evidence of a widespread breach of the US government. The threat actor's name also\r\nseems to be tied to a new Ransomware-as-a-Service portal called Endurance, and security researchers believe this might be a\r\nclever ruse to draw affiliates to the new service. \"Not sure what their angle is, but it seems like notoriety maybe for a quick\r\nexit scam,\" threat intel analyst CyberKnow told RiskyBizNews over the weekend.\r\nAleksandar Milenkoski@milenkowski\r\nThe repository hosts the source code of the Endurance #wiper. 
A comment in the source code indicates that IntelBroker is\r\nnot part of a group and that #Endurance is an on-going project.\r\n7:10 PM · Nov 16, 2022\r\nDDoS attacks on DNS servers: A CAIDA research paper has found that DDoS attacks targeted \"millions of domains (up to\r\n5% of the DNS namespace)\" but that \"most attacks did not substantially harm DNS performance,\" even if some attacks did\r\nend up bringing down services or increasing resolution times by up to 100 times. The research paper analyzed data from a\r\n17-month period between November 2020 and March 2022.\r\nMalware on Telegram: Russian security firm Positive Technologies published a report on Telegram's budding cybercrime\r\necosystem. According to the company's scans, Telegram has slowly replaced hacking forums and is currently being used for\r\nadvertising a wide spectrum of hacking services and malware, with the sale of remote access trojans, corporate network\r\naccounts, and cash-out services being some of the most popular topics on the platform.\r\nNew npm malware: Check out GitHub's security advisory portal for details.\r\nEmotet's return: Deep Instinct researchers have an analysis of Emotet's return, the infamous spam botnet that has been\r\nasleep since June this year. More on this from Proofpoint too.\r\nConti off-shoots: Equinix security researcher William Thomas has a report on how members of the former Conti gang have\r\nscattered across the malware ecosystem since disbanding in early 2022.\r\n\"The members of Conti have continued attacks, but seemingly under several different names,\r\nincluding Quantum, Royal, and Black Basta (also highlighted by Vitali Kremez here). Campaigns previously\r\nattributed to Conti such as Karakurt and Diavol have also continued in 2022 since the leaks. 
These new data-theft-extortion ransomware campaigns, though, have been supported by malware other than Trickbot and BazarLoader,\r\nthis includes the new BumbleBee malware, as well as three malware botnets previously associated with Conti\r\nattacks: IcedID, Qakbot, and Emotet.\"\r\nZeppelin ransomware decrypter: Cybersecurity firm Unit221b said it found a design flaw in the encryption scheme of the\r\nZeppelin ransomware in February 2020, and for the past two years, the company has been using this vulnerability to allow\r\nvictims to recover their files without paying the attackers. Unit221b disclosed their findings at the Black Hat security\r\nconference held last week in Riyadh, Saudi Arabia, after noticing that attacks with the Zeppelin ransomware slowed down to\r\na crawl this year, suggesting that the gang had lost faith in their encrypter. [Additional coverage in KrebsOnSecurity]\r\nVenus ransomware: SentinelOne has published a technical breakdown of the Venus ransomware, also known as Goodgame\r\nransomware. The ransomware is known for targeting systems and networks that run unprotected RDP endpoints, which it\r\nuses as entry points for the attack, and has been recently at the center of a security alert [PDF] issued by the US Department\r\nof Health and Human Services.\r\nAgent Tesla: The Splunk team has a report out on the Agent Tesla remote access trojan and its technical guts and modus\r\noperandi. OALABS also has some IOCs and detection advice for it too.\r\nQakBot updates: Securonix researchers have published a report on the recent updates to the QakBot (Qbot) malware code.\r\nFor the technical only.\r\nW4SP Stealer: Checkmarx researcher Jossef Harush Kadouri has published an analysis of the W4SP Stealer (or WASP\r\nStealer) that was recently used in two PyPI-based supply chain attacks. 
In a more recent attack spotted by Phylum, the group\r\nbehind this malware appears to be using the names of popular organizations to continue to spread their RAT via\r\nbooby-trapped PyPI packages.\r\nCobalt Strike detections: The Google Cloud security team has released a set of open-source YARA rules and\r\na VirusTotal Collection to help security practitioners flag and identify Cobalt Strike components and specific Cobalt Strike\r\nversions on their networks.\r\n\"We decided that detecting the exact version of Cobalt Strike was an important component to determining the\r\nlegitimacy of its use by non-malicious actors since some versions have been abused by threat actors.\"\r\nEarth Preta: Trend Micro has an analysis of some recent spear-phishing operations carried out by the Earth Preta APT\r\nagainst government networks worldwide. The operation began in March this year and tried to infect victims with malware\r\nsuch as TONEINS, TONESHELL, and PUBLOAD. The group is also known as Mustang Panda and Bronze President.\r\nGRU 26165: The Atlantic Council has a report on GRU Unit 26165, a cyber unit of the Russian military intelligence service\r\nthat has used on-site agents to hack into their targets' networks. The unit has been linked to an attempted hack of the\r\nOrganization for the Prohibition of Chemical Weapons (OPCW), based in Amsterdam, the Netherlands.\r\n\"After loading a car with technical equipment—including a wireless network panel antenna to intercept traffic—\r\nthe four individuals scouted the OPCW's headquarters in The Hague for days, taking photos and circling the\r\nbuilding before being intercepted by the Dutch General Intelligence and Security Service (Algemene Inlichtingen-en Veiligheidsdienst or AIVD) and sent back to Moscow. 
Seemingly, the plan had been for the operatives to hack\r\ninto the OPCW's systems to disrupt investigations into the attempted GRU chemical weapon attack [on former\r\nRussian intelligence officer Sergei Skripal and his daughter Yulia in Salisbury, England].\"\r\nInfineon vulnerability: German chipmaker Infineon is apparently using an eight-year-old version of OpenSSL for the\r\ntrusted-platform module (TPM) for some of its chips, according to a report from Binarly, a security firm specialized in\r\nfirmware security. Other companies like Lenovo, Dell, and HP were also found to use extremely old versions of OpenSSL as\r\nwell, with Lenovo and Dell using an OpenSSL version released back in 2009.\r\nCVE-2022-35803: NorthSec researchers have published details on CVE-2022-35803, a vulnerability in the Windows\r\nCommon Log File System (CLFS) logging service that Microsoft patched earlier this year in September.\r\nCVE-2022-26696: SecuRing researcher Wojciech Reguła has published details on CVE-2022-26696, a vulnerability in the\r\nmacOS Terminal that can be exploited to escape the macOS sandbox. The bug was fixed in mid-September 2022.\r\nAcquisition news: Palo Alto Networks announced plans to buy Cider Security, a company that develops application security\r\n(AppSec) and software supply chain security solutions.\r\nOpenSSF adopts S2C2F: The Open Source Security Foundation (OpenSSF) has adopted the Secure Supply Chain\r\nConsumption Framework (S2C2F), a policy framework developed by Microsoft for hardening projects against supply chain\r\nattacks.\r\nProject Spaceman: An article from Richard J. Aldrich goes into Project Spaceman, a project by British computer maker\r\nICL that provided secure systems to the MI5 and the British government in the early 80s.\r\nNew tool—MI-X: Cybersecurity firm Rezilion has open-sourced a tool named MI-X (Am I Exploitable?) 
that allows\r\nresearchers and developers to know if their containers and hosts are impacted by specific, high-profile vulnerabilities.\r\nResponderCon 2022 videos: Talks from the ResponderCon 2022 security conference, which took place in September,\r\nare available on YouTube.\r\nSource: https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack"
	],
	"report_names": [
		"risky-biz-news-cyber-partisans-hack"
	],
	"threat_actors": [
		{
			"id": "86ab2e9a-75b1-48af-8313-0a5ec1f7d12c",
			"created_at": "2023-12-03T02:00:05.154685Z",
			"updated_at": "2026-04-10T02:00:03.488062Z",
			"deleted_at": null,
			"main_name": "Daixin Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Daixin Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/266e6d494782a838c28c31ffd32cecd764ffa49f.pdf",
		"text": "https://archive.orkl.eu/266e6d494782a838c28c31ffd32cecd764ffa49f.txt",
		"img": "https://archive.orkl.eu/266e6d494782a838c28c31ffd32cecd764ffa49f.jpg"
	}
}